CVE-2021-36978

MEDIUM

qpdf 9.0.0-9.1.1 and 10.0.0-10.0.4 - Heap-Based Buffer Overflow in Pl_ASCII85Decoder

Title source: llm
STIX 2.1

Description

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

Scores

CVSS v3 5.5
EPSS 0.0127
EPSS Percentile 66.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-787
Status published
Products (1)
qpdf_project/qpdf 9.0.0 - 9.1.1
Published Jul 20, 2021
Tracked Since Feb 18, 2026